Symbolic methods for cryptography

Computational Soundness Symbolic methods for cryptography Bogdan Warinschi University of Bristol


Transcript of Symbolic methods for cryptography

Page 1: Symbolic methods for cryptography

Computational Soundness

Symbolic methods for cryptography

Bogdan Warinschi, University of Bristol

Page 2: Symbolic methods for cryptography

Toy example

Parties A and B, each shown holding key K.

Messages, in order:

A, N1

{N1, N2, Ks}K

{B, N2}Ks

{D}Ks

Is the data D secret?

Page 3: Symbolic methods for cryptography


Security Models

Mathematical model

Security property

Proof method

Page 4: Symbolic methods for cryptography


Abstraction Levels

Page 5: Symbolic methods for cryptography

Abstraction Levels

Insecurity

Page 6: Symbolic methods for cryptography

Abstraction Levels

Security

Page 7: Symbolic methods for cryptography

Two types of security models

[Diagram: boxes labelled Model, Security property and Proof method, shown four times]

Page 8: Symbolic methods for cryptography

Outline

• A gap between models for encryption:
  – security definitions
  – proofs

• Bridging the gap:
  – The passive adversaries case:
    • the Abadi-Rogaway logic
    • extensions
  – The active adversaries case (tomorrow)

Page 9: Symbolic methods for cryptography


Two views of security for encryption schemes

Page 10: Symbolic methods for cryptography

Symbolic treatment of encryption

• Messages are elements from a term algebra:
  – Data = {D1,D2,…},
  – Keys = {K1,K2,…},
  – Random nonces = {N1,N2,…},
  – Identities = {A,B,…}

• BASIC := Data | Keys | Random nonces | Identities

• TERM := BASIC | (TERM, TERM) | {TERM}Keys

• Messages are terms, e.g. N2 , {((B, N1), Ks) }K

Page 11: Symbolic methods for cryptography

Symbolic treatment of encryption

• Security for encryption is axiomatized

– Given {M}K adversary can compute M only if it has K

Deduction rules (premises ⊢ conclusion):

– {M}K, K ⊢ M
– M, K ⊢ {M}K
– M1, M2 ⊢ (M1, M2)
– (M1, M2) ⊢ M1, M2

Page 12: Symbolic methods for cryptography


Computational treatment for encryption

• Messages are bitstrings

• Symmetric encryption scheme = (Kg, Enc, Dec)

– Kg(η) outputs a random bitstring k in {0,1}^η

– Enc: {0,1}^η × {0,1}* → {0,1}* (distribution on {0,1}*)

– Dec: {0,1}^η × {0,1}* → {0,1}*

– It holds that: Dec(k, Enc(k,m)) = m

• E.g. AES-CBC

Page 13: Symbolic methods for cryptography

Computational treatment for encryption

= (Kg,Enc,Dec) ;

[Diagram: the IND-CPA game. An oracle Enc(K,_) holds a bit b; the adversary submits M0, M1 with |M0| = |M1|, receives Enc(K, Mb), and must answer b = ?]

Encryption scheme is IND-CPA secure if for all adversaries,

Pr[Adversary guesses b] ≤ ½ + negligible function(η)

Page 14: Symbolic methods for cryptography

Security of double encryption:

• Is the message M secret?

[Diagram: A and B, each shown holding key K; the message sent is {{M}K}K]

Page 15: Symbolic methods for cryptography

Security of double encryption: symbolically

• Does there exist a derivation:

{{M}K}K

………

M

using only the rules (premises ⊢ conclusion):

– {M}K, K ⊢ M
– M, K ⊢ {M}K
– M1, M2 ⊢ (M1, M2)
– (M1, M2) ⊢ M1, M2

Page 16: Symbolic methods for cryptography

Security of double encryption: computationally

[Diagram: the game with oracle Enc(K, Enc(K,_)) holding a bit b; the adversary submits M0, M1 with |M0| = |M1|, receives Enc(K, Enc(K, Mb)), and must answer b = ?]

Page 17: Symbolic methods for cryptography

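Security of double encryption: computationally

[Diagram: reduction to the single-encryption game with oracle Enc(K,_) and bit b. The double-encryption adversary outputs M0, M1. The reduction queries (M0, M0) to get C0 = Enc(K, M0), queries (M1, M1) to get C1 = Enc(K, M1), then queries (C0, C1) to get C = Enc(K, Enc(K, Mb)), hands C to the adversary, and forwards its answer to b = ?]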

Page 18: Symbolic methods for cryptography


Two Paradigms for Protocol Analysis

Symbolic Approach

Abstract model

D-Y adversaries

Unclear how to ensure security of primitives

Proofs can potentially be automatized (theorem provers, model checkers)

Computational Approach

Concrete model

Powerful PPT adversaries

Clear definitions for the security of primitives

Complex protocols are difficult to analyze

Page 19: Symbolic methods for cryptography

Two types of security models

[Diagram: boxes labelled Model, Security property and Proof method, shown four times]

Page 20: Symbolic methods for cryptography

Two ways of bridging the gap

[Diagram: boxes labelled Model, Security property and Proof method, shown four times]

Apply methods/techniques from the red world directly in the blue world: Bruno, Sylvain, Marion’s talks

Show that security in the red world implies security in the blue world

Page 21: Symbolic methods for cryptography

Computational Soundness

1. Prove security in the symbolic model
2. Apply the soundness theorem
3. Deduce security in the computational model

Symbolic model

Security property

Symbolic proof

Computational model

Security property

Computational proof

Soundness Theorems

Page 22: Symbolic methods for cryptography

Two types of security models

[Diagram: boxes labelled Model, Security property and Proof method, shown four times, annotated Security, Insecurity, Security]

Page 23: Symbolic methods for cryptography

Toy example

Parties A and B, each shown holding key K.

Messages, in order:

A, N1

{N1, N2, Ks}K

{B, N2}Ks

{D}Ks

Is the data D secret?

Page 24: Symbolic methods for cryptography

Passive adversaries

• A protocol run:

A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks

• Two interleaved sessions:

A, N1, {N1, N2, Ks}K, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks

• Two interleaved sessions with corruption:

A, N1, {N1, N2, Ks}K, Ks, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks

Page 25: Symbolic methods for cryptography

Defining secrecy, symbolically

To each expression associate a pattern:

For E = {N1}K1, {{K1}K2}K3, K3, {K3}K2, {{K1,N2}K3,K3}K2

patt(E) = ▓, {▓}K3, K3, ▓, ▓ (tentative definition)

patt(E) = {N}K1, {{K0}K2}K3, K3, {K0}K2, {{K0,N}K0,K0}K2

Page 26: Symbolic methods for cryptography

Defining secrecy, symbolically

• Definition: D is hidden in E if D does not occur in patt(E)

Is D1 secret in

A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks

Page 27: Symbolic methods for cryptography

Defining secrecy, computationally

Given:

• a valuation f: {D1,D2,...} → {0,1}^n

• an encryption scheme = (Kg, Enc, Dec)

Define:

[[ _ ]]f : Expressions → Distributions

A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks

Page 28: Symbolic methods for cryptography

Mapping expressions to (distributions on) bitstrings

{D1,{K5,N}K1}K1

[[ _ ]]f : Expressions → Distributions

[Diagram: each key symbol is mapped to a bitstring produced by Kg, the nonce N to a bitstring produced by Rand, the data D1 to a bitstring given by f, and each encryption to Enc( , ) applied to the resulting bitstrings]

Page 29: Symbolic methods for cryptography

Defining secrecy, computationally

E = {D1,{K5,N}K1}K1

[[ _ ]]f : Expressions → Distributions

[Diagram: keys are produced by Kg, the nonce by Rand, and D1 is valued by either f0 or f1; the adversary is given [[ E ]]fb and must answer b = ?]

Page 30: Symbolic methods for cryptography

Defining secrecy, computationally

Let E be an expression and an encryption scheme

The set T ⊆ Data is computationally hidden in E if for any valuations

f0, f1 : Data → {0,1}^n with

f0(D) = f1(D) for D ∈ Data − T

it holds that

[[ E ]]f0 ~ [[ E ]]f1

“~” means computational indistinguishability

Page 31: Symbolic methods for cryptography


Relation between two very different worlds?

• Is there a relation between the two notions of secrecy?

• More generally: what does security proved in the symbolic world mean for the computational world?

• Many symbolic versions of the same notion (e.g. two notions of patterns). Which one is right?

• Many security notions for the same primitive in the concrete world. Which one is right?

Page 32: Symbolic methods for cryptography

Main technical result

Let
– E be an acyclic expression
– be an IND-CPA secure encryption scheme
– arbitrary f: {D1,D2,…,Dn} → {0,1}^n

Then:

[[ E ]]f ~ [[ patt(E) ]]f

{K}K

{K1}K2, {K2}K1

are not acyclic expressions

Page 33: Symbolic methods for cryptography

Proof idea

• Standard (but very general) hybrid argument

• Construct E1, E2, …, En such that
  – E1 = E
  – En = patt(E)
  – [[Ei]] ~ [[Ei+1]]

• It is essential that E is acyclic

Page 34: Symbolic methods for cryptography

Soundness Theorem (Abadi, Rogaway (2000))

Let
– E be an acyclic expression
– be an IND-CPA secure encryption scheme

Then:

T symbolically hidden in E ⇒ T is computationally hidden in E

Page 35: Symbolic methods for cryptography

Proof

[Diagram: E is interpreted as [[ E ]]f0 and [[ E ]]f1; patt(E) is interpreted as [[ patt(E) ]]f0 and [[ patt(E) ]]f1]

Given: T is symbolically hidden in E (any D ∈ T does not occur in the pattern of E).

Want: Given any

f0, f1 : Data → {0,1}^n

f0(D) = f1(D) if D ∉ T then

[[ E ]]f0 indistinguishable from [[ E ]]f1

Page 36: Symbolic methods for cryptography


Previous result an instance of:

Symbolic model

Security property

Symbolic proof

Computational model

Security property

Computational proof

Soundness Theorems

Page 37: Symbolic methods for cryptography


(One) Hybrid argument

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

• E2 = {K0}K2, {K0}K1, {D}K3

• E3 = {K0}K2, {K0}K1, {D0}K3

Page 38: Symbolic methods for cryptography


(One) Hybrid argument

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

• E2 = {K0}K2, {K0}K1, {D}K3

• E3 = {K0}K2, {K0}K1, {D0}K3

An adversary that distinguishes between [[E0]] and [[E3]] must distinguish between [[Ei]] and [[Ei+1]] for some i

Page 39: Symbolic methods for cryptography


(One) Hybrid argument

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

• E2 = {K0}K2, {K0}K1, {D}K3

• E3 = {K0}K2, {K0}K1, {D0}K3

Page 40: Symbolic methods for cryptography

(One) Hybrid argument

[Diagram: an IND-CPA oracle Enc(k,_) holding a bit b receives k0, k1 and returns c = Enc(k, kb)]

• Generate k0, k1, k3
• Send k0, k1
• Receive c
• Compute c1=Enc(k1, k3)
• Compute c2=Enc(k3,d)
• Output (c,c1,c2)

• E0 = {K1}K2, {K3}K1, {D}K3

• E1 = {K0}K2, {K3}K1, {D}K3

Page 41: Symbolic methods for cryptography

Questions:

• Is D1 secret in:

• Is D1 secret in:

• Are D1 and D2 secret in:

A, N1, {N1, N2, Ks}K, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks

A, N1, {N1, N2, Ks}K, {B, N2}Ks, {D1}Ks

A, N1, {N1, N2, Ks}K, Ks, A, N3, {N3, N4, Ks’}K, {B, N4}Ks’, {D2}Ks’, {B, N2}Ks, {D1}Ks
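The questions above can be answered mechanically with the symbolic definition from pages 25 and 26 (D is hidden in E if D does not occur in patt(E)). The following is an added example, not code from the slides: it uses the ▓ pattern (the tentative definition), and the term encoding, the function names and the rule that key names start with "K" are assumptions of the sketch.

```python
# Added example (not from the slides). Terms: atoms are strings ("A", "N1",
# "Ks", "D1"); ("tup", t1, ..., tn) is a tuple; ("enc", body, key) is {body}key.
# Assumption of this sketch: an atom is a key iff its name starts with "K".

def enc(key, *parts):
    return ("enc", parts[0] if len(parts) == 1 else ("tup",) + parts, key)

def atoms(t):
    """All atoms occurring in a term or pattern."""
    return {t} if isinstance(t, str) else set().union(*map(atoms, t[1:]))

def box(t, keys):
    """Replace every ciphertext in t whose key is not in `keys` by '▓'."""
    if isinstance(t, str):
        return t
    if t[0] == "tup":
        return ("tup",) + tuple(box(x, keys) for x in t[1:])
    return ("enc", box(t[1], keys), t[2]) if t[2] in keys else "▓"

def recoverable_keys(expr):
    """Least fixpoint: keys readable once the known keys open their ciphertexts."""
    keys = set()
    while True:
        seen = set().union(*(atoms(box(t, keys)) for t in expr))
        new = {a for a in seen if a.startswith("K")}
        if new == keys:
            return keys
        keys = new

def patt(expr):
    """Pattern of E: what a passive adversary sees after all decryptions."""
    keys = recoverable_keys(expr)
    return [box(t, keys) for t in expr]

def hidden(d, expr):
    """D is hidden in E iff D does not occur in patt(E)."""
    return all(d not in atoms(t) for t in patt(expr))

# The three traces from the slides (run, interleaved, with corruption).
S1 = ["A", "N1", enc("K", "N1", "N2", "Ks")]
S2 = ["A", "N3", enc("K", "N3", "N4", "Ks'")]
TAIL = [enc("Ks'", "B", "N4"), enc("Ks'", "D2"), enc("Ks", "B", "N2"), enc("Ks", "D1")]
RUN = S1 + [enc("Ks", "B", "N2"), enc("Ks", "D1")]
INTERLEAVED = S1 + S2 + TAIL
CORRUPTED = S1 + ["Ks"] + S2 + TAIL

if __name__ == "__main__":
    for name, e in [("run", RUN), ("interleaved", INTERLEAVED), ("corrupted", CORRUPTED)]:
        print(name, {d: hidden(d, e) for d in ("D1", "D2")})
```

Only the trace that leaks Ks exposes D1; D2 stays hidden there because Ks’ is never sent outside a ciphertext under K.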

Page 42: Symbolic methods for cryptography

Some difficulties

• The usefulness of a soundness theorem increases with its generality

• Is D1 secret in
  – g^x, N1, g^y, {N1, Ks}g^(xy), {D1}Ks
  – g^x, N1, g^y, {N1, Ks}g^(x+y), {D1}Ks
  – g^x, g^y, g^z, g^(xy), {Ks}g^(xyz), {D1}Ks

• Deal with protocols where g^(x1x2+x2x3+…+xnx1) occurs

• How about in
  – g^x, g^y, {N1, Ks}g^(xy), {D1}Ks, H(N1, D1)
  – g^x, g^y, N1, {Ks}g^(xy), {D1}Ks, H(N1, D1)

Page 43: Symbolic methods for cryptography

Some difficulties

• Intuition à la Dolev-Yao models may not always be right!

• patt({D}K1, {D,D}K2) = ▓ , ▓ = patt({D}K1, {D}K1)

• There exist IND-CPA encryption schemes for which encryption with the same key can be observed

1. Strengthen the notion of security for encryption in the computational world

2. Refine the notion of patterns in the symbolic world

Page 44: Symbolic methods for cryptography

Acyclicity

• Intuition à la Dolev-Yao models may be wrong!

• Is D secret in {K}K, {D}K?

• There exist IND-CPA encryption schemes which are completely insecure if used as above

• Is D secret in {K1}K2, {K2}K1, {D}K?

• …?

• Solutions:
  – declare the above use insecure
  – define and construct key-dependent encryption
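The first solution, rejecting expressions with key cycles before the soundness theorem of page 34 is applied, can be checked automatically. The following is an added example, not code from the slides: the slides do not spell out acyclicity, so the sketch assumes the usual "encrypts" relation (K encrypts K' when K' occurs as data inside a ciphertext under K) and looks for a cycle in it; the term encoding and function names are likewise assumptions.

```python
# Added example. Terms: atoms are strings; ("tup", t1, ..., tn) is a tuple;
# ("enc", body, key) is {body}key. Assumptions of this sketch: an atom is a key
# iff its name starts with "K", and K "encrypts" K' when K' occurs as data
# somewhere inside a ciphertext under K.

def enc(key, *parts):
    return ("enc", parts[0] if len(parts) == 1 else ("tup",) + parts, key)

def data_keys(t):
    """Key atoms occurring in t other than purely as an encrypting key."""
    if isinstance(t, str):
        return {t} if t.startswith("K") else set()
    return set().union(*map(data_keys, t[1:2] if t[0] == "enc" else t[1:]))

def encrypts(expr):
    """Graph of the encrypts relation: {K: set of keys found under K}."""
    edges, stack = {}, list(expr)
    while stack:
        t = stack.pop()
        if isinstance(t, str):
            continue
        if t[0] == "enc":
            edges.setdefault(t[2], set()).update(data_keys(t[1]))
        stack.extend(t[1:2] if t[0] == "enc" else t[1:])
    return edges

def key_cycle(expr):
    """Return one key cycle as a list [K, ..., K], or None if E is acyclic."""
    edges, done = encrypts(expr), set()
    def dfs(k, path):
        if k in path:
            return path[path.index(k):] + [k]
        if k not in done:
            for nxt in sorted(edges.get(k, ())):
                found = dfs(nxt, path + [k])
                if found:
                    return found
            done.add(k)
        return None
    for k in sorted(edges):
        found = dfs(k, [])
        if found:
            return found
    return None

if __name__ == "__main__":
    print(key_cycle([enc("K", "K"), enc("K", "D")]))                      # page 44
    print(key_cycle([enc("K2", "K1"), enc("K1", "K2"), enc("K", "D")]))   # page 44
    print(key_cycle([enc("K2", "K1"), enc("K1", "K3"), enc("K3", "D")]))  # E0, page 37
```

The hybrid-argument expression E0 passes the check, while both expressions from this page are rejected with the offending cycle reported.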

Page 45: Symbolic methods for cryptography

Computational soundness

• Relates symbolic and computational models so that security results transfer

• Why should we care
  – Symbolic formalisms:
    • Gives insight into models
    • Justifies the use of symbolic models in a very strong sense
  – Cryptography:
    • Symbolic models are simpler, easier to understand
    • For large protocols with complex interactions life is simpler